CosmicSting Exploit Targets Adobe Commerce and Magento Stores, Impacting 5% of All Stores
October 2, 2024
Cybersecurity researchers have revealed that a security vulnerability, dubbed CosmicSting, has been exploited by malicious actors, resulting in the compromise of 5% of all Adobe Commerce and Magento stores. The critical flaw, tracked as CVE-2024-34102, stems from an improper restriction of XML external entity references (XXE) and could lead to remote code execution. Adobe patched the vulnerability in June 2024, but e-commerce sites are still being breached at a rate of three to five per hour.
Dutch security firm, Sansec, has described CosmicSting as the worst bug to affect Magento and Adobe Commerce stores in the past two years. The flaw has been widely exploited, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities catalog in mid-July 2024.
Some of the attacks have involved the use of the flaw to steal Magento's secret encryption key. This key is then used to generate JSON Web Tokens (JWTs) with full administrative API access. The threat actors have been seen leveraging the Magento REST API to inject malicious scripts. This suggests that the latest fix alone is not enough to secure against the attack, and site owners need to rotate the encryption keys.
In August 2024, subsequent attacks combined CosmicSting with CNEXT (CVE-2024-2961), a vulnerability in the iconv library within the GNU C library (glibc), to achieve remote code execution. 'CosmicSting (CVE-2024-34102) allows arbitrary file reading on unpatched systems. When combined with CNEXT (CVE-2024-2961), threat actors can escalate to remote code execution, taking over the entire system,' Sansec stated.
The ultimate aim of these breaches is to establish persistent, covert access on the host via GSocket and insert rogue scripts that execute arbitrary JavaScript received from the attacker in order to pilfer payment data entered by users on the sites. Several companies, including Ray-Ban, National Geographic, Cisco, Whirlpool, and Segway, have been victimized by CosmicSting attacks, with at least seven distinct groups participating in the exploitation efforts.
'Merchants are strongly advised to upgrade to the latest version of Magento or Adobe Commerce,' Sansec advised. 'They should also rotate secret encryption keys, and ensure that old keys are invalidated.'
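Why rotating the key matters, and why old keys must actually be invalidated rather than merely retired, is easiest to see with a small verifier. The following is an added illustration written for this article, not code from Magento, Adobe or Sansec: a minimal HS256 JWT signer/verifier with a key store whose rotation drops the previous key entirely. The key store layout, the `kid` header and the helper names are assumptions for illustration; the point it shows is that a token minted with a key that later leaks stops being honoured only once the verifier refuses every key but the current one.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed example: a tiny HS256 JWT implementation and a rotating key store.
# Assumed structure for illustration only; not the platform's own token code.


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes, kid: str) -> str:
    """Mint an HS256 token; 'kid' names the key the signature was made with."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    parts = [json.dumps(header, separators=(",", ":")).encode(),
             json.dumps(claims, separators=(",", ":")).encode()]
    signing_input = ".".join(_b64url(p) for p in parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class KeyStore:
    """Holds exactly one signing key. Rotation discards the old key, so tokens
    signed with it cannot verify afterwards, whatever their header claims."""

    def __init__(self) -> None:
        self._counter = 0
        self.current_kid: Optional[str] = None
        self.current_key: Optional[bytes] = None

    def rotate(self) -> str:
        self._counter += 1
        self.current_kid = f"k{self._counter}"
        self.current_key = secrets.token_bytes(32)
        return self.current_kid


def verify_jwt(token: str, store: KeyStore, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is valid under the current key, else None."""
    now = time.time() if now is None else now
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(c64))
        sig = _b64url_decode(s64)
    except (ValueError, TypeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm and accept only the current key id: a retired or unknown
    # kid is rejected before any signature work is done.
    if header.get("alg") != "HS256" or header.get("kid") != store.current_kid:
        return None
    if store.current_key is None:
        return None
    expected = hmac.new(store.current_key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims


def rotation_demo() -> dict:
    """Show what rotation does to a token minted before the key was rotated."""
    store = KeyStore()
    old_kid = store.rotate()
    old_key = store.current_key
    admin_claims = {"sub": "admin", "scope": "admin_api", "exp": 1_000_000}
    # Token minted under the key that is later treated as compromised.
    old_token = sign_jwt(admin_claims, old_key, old_kid)
    before = verify_jwt(old_token, store, now=0) is not None
    store.rotate()
    after = verify_jwt(old_token, store, now=0) is not None
    # Same old key, but the header now names the current kid: signature mismatch.
    relabelled = sign_jwt(admin_claims, old_key, store.current_kid)
    forged_kid = verify_jwt(relabelled, store, now=0) is not None
    fresh = sign_jwt(admin_claims, store.current_key, store.current_kid)
    fresh_ok = verify_jwt(fresh, store, now=0) is not None
    return {"before_rotation": before, "after_rotation": after,
            "forged_kid": forged_kid, "fresh_token": fresh_ok}


if __name__ == "__main__":
    print(rotation_demo())
```

The design choice worth noting is that `KeyStore` keeps no grace list of previous keys. A rotation scheme that still accepts the old key for a transition window would leave every token minted with the leaked key valid for that window, which is exactly the outcome the advice to "ensure that old keys are invalidated" is meant to prevent. Existing legitimate integrations simply have to request new tokens after the rotation.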